Cost of UK data breaches up 7% in 2009

The cost of UK data breaches has increased 7% in the past year and 36% in the past two years, the latest annual study by the Ponemon Institute has revealed.

The cost of UK data breaches has increased 7% in the past year and 36% in the past two years, the latest annual study by the Ponemon Institute has revealed.

The study found that lost data cost between £365,000 and £3.92m to manage, which averages out at a cost of £1.68m per incident.

"The financial impact of data breaches is hitting UK organisations harder and harder each year," said Larry Ponemon, chairman and founder of the Ponemon Institute.

Each lost record cost UK organisations an average of £64 in 2009, according to the third annual UK study sponsored by data protection firm, PGP Corporation.

The biggest contributor to this cost is lost business due to reduced consumer trust, which made up £29 of the average cost per record, the study found.

The study is based on data from 25 private and eight public sector organisations that reported data losses of between 5,200 and 60,000 records from May 2009 to January 2010.

Average cost to private sector organisations was £69 pounds per record, compared with £59 in the public sector.

The main reason for the difference is that the financial impact of lost business is substantially higher for commercial firms than public organisations, the report said.

"In the commercial sector, the costs associated with customer churn and attracting new customers are particularly acute," said Ponemon.

But the study shows these firms are getting better at detection, remediation and customer communications, he said.

This is not true in the public sector, where the direct costs of a data breach are significantly higher, said Ponemon.

"For example, the cost of notifying users that their records might have been compromised is more than four times higher for public organisations," he said.

The cost of data breaches is directly related to the root cause, the study found. The most costly breaches, at an average of £81 per record, were those involving third-party organisations.

"It is always more costly when working through a third party because of all the extra processes and communications," said Phillip Dunkelberger, president and chief executive of PGP Corporation.

Conversely, in organisations where the chief information security officer (CISO) or equivalent took personal responsibility for managing the incident, costs dropped to £59 per record.

Organisations that have CISOs that report to the board and can get the necessary funding to proactively protect data, typically suffer less when hit by a data breach, said Dunkelberger.

With the Information Commissioner's Office set to impose fines of up to £500,000 for serious data breaches from April, organisations need to adopt a strategic approach to data protection, he said.

"Organisations that combine strong security leadership, well defined operational procedures and integrated security technology, will reduce their exposure to costly data losses," said Dunkelberger.

Read more on Data centre hardware